Guidelines to comply with PCI DSS 3.2

Last updated: 26 September 2017

One of my previous blog posts covered the latest changes in PCI DSS 3.2, which are mainly focused on the use of multi-factor authentication (MFA) and greatly expand the need for MFA for individuals accessing the cardholder data environment (CDE) from within the office.

The need to apply MFA to additional groups of users and to integrate additional systems is a direct outcome of the PCI Supplementary Guidance issued earlier this year, which goes into effect in February 2018. From that point on, ALL individuals who access systems such as databases, network modules and email servers that hold credit card data will be required to authenticate themselves with MFA. The new guidelines apply to all roles and locations: privileged users, regular users, remote users and local users.

The purpose of this supplementary guidance is to provide best practices for organizations that need to extend their multi-factor authentication footprints to additional use cases, and for those that are starting to think about how best to comply with PCI DSS’s authentication requirements.

The PCI guidance sets out some key principles for MFA:

MFA mechanisms should be independent of each other, so that compromising one factor does not compromise another; i.e. one factor must not rely on another factor for access.

Passwords should be secured and difficult to guess. Hardware factors and biometric data should be kept private and safe from unauthorized replication.

Local laws and regulations should be taken into account, as there can sometimes be additional requirements locally.

Taking the above principles into account, below are some best practices:

Organizations that have not yet implemented MFA

Our advice to organizations that have not implemented MFA at all is to select an MFA solution that can address all PCI use cases. It is also important to check that the MFA solution under consideration supports a broad range of applications. This allows IT to deploy a single solution that addresses all PCI requirements, covers all users and protects the required applications.

Organizations that need to extend MFA to additional use cases

For organizations that already have MFA solutions in place and need to extend MFA to network access, this is an opportunity to consolidate onto a single platform that can address PCI and other evolving regulatory requirements. Potential solutions include PKI-based smart cards, which can address MFA for network access, privileged access, remote access and logical access with a single solution, thereby reducing management overhead for IT and providing a very convenient experience for users.